ARP Configuration Issue: Port Assignment and Lost Internet Connection

Hello,

I would like to know if it's possible to specify which port is used by the IP addresses listed in my ARP table:

root@Router3:~# arp
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.245    0x1         0x2         00:e0:4c:68:26:6f     *        br-lan
192.168.1.128    0x1         0x2         f4:4d:30:1c:0f:86     *        br-lan
192.168.1.1      0x1         0x2         10:06:45:c1:96:20     *        br-wan

I would like to have this result instead:

root@Router3:~# arp
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.245    0x1         0x2         00:e0:4c:68:26:6f     *        lan2
192.168.1.128    0x1         0x2         f4:4d:30:1c:0f:86     *        lan4
192.168.1.1      0x1         0x2         10:06:45:c1:96:20     *        br-wan

However, the br-lan bridge is causing me some trouble; whenever I try to detach the lan4 port, I lose internet access, and the router doesn't recognize the lan4 connection.

Do you know of any way to achieve this?

Thank you for your response!

That's the idea - if you detach it from the bridge, it's like pulling the cable.

Could you please clarify what the relation between your two questions is? What exactly would you like to achieve, i.e. what is your end goal? As far as I've understood, you would like to know which neighboring IP address is associated with which physical port?

The reason for your dodgy connection is likely that the lan and wan seem to be in the same IP subnet. This breaks the routing process.

Anyway, that is not what ARP is for. ARP is listening on a virtual Ethernet port called br-lan, which is one of the ports of an internal layer 2 switch (implemented in software and/or hardware). In order to dispatch a unicast packet on an Ethernet network, it must have a destination MAC address, but the web browser etc. only knows a destination machine by its IP address. ARP is the process the kernel uses to associate MAC addresses with IP addresses. Once the MAC has been attached to the packet, it is sent into the switching logic via the kernel's port on br-lan. The layer 2 switching will direct it out to the proper port.

To find out which device MAC is on which switch port you'd need to query the switch itself. This is a common practice with stand-alone switch hardware but I don't know if DSA has any provision for such a query.

Thank you for your assistance!

I will try to be as clear as possible and provide as much information as I can about my project.

I am currently working on a bash script that allows me to launch specific configurations on my Mikrotik RB760iGS router with Openwrt 23.05.2.

This project is for educational purposes to help cybersecurity students understand the workings of vulnerabilities in an internal network. I have created several vulnerabilities with the firewall by replacing the usual connection ports such as SSH or postfix, etc.

Now, I would like to create a "HUB" so that students can sniff packets on port lan4 of another student connected to the router at port lan2.

The idea is simply to find the username and password of an unprotected HTTP site. Here is the website I use: http://testphp.vulnweb.com/login.php

I have used the port-mirroring package and established this configuration by knowing the IP of the PC that is sniffing:

config port-mirroring
        option source_ports 'lan2'
        option promiscuous '1'
        option target '192.168.1.128'
        option protocol 'TZSP'

However, I would rather have this configuration with 2 ports to sniff if possible (it's not a problem if we can't). Most importantly, I want it to work without needing to configure it every time, i.e. without having to know each student's IP address for it to work. Ideally, I would have 15 routers, so it could be complicated to retrieve each IP address every time.

My network configuration is the default one:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd20:6687:db37::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config device
        option name 'lan2'
        option macaddr 'dc:2c:6e:9d:0e:dd'

config device
        option name 'lan3'
        option macaddr 'dc:2c:6e:9d:0e:de'

config device
        option name 'lan4'
        option macaddr 'dc:2c:6e:9d:0e:df'

config device
        option name 'lan5'
        option macaddr 'dc:2c:6e:9d:0e:e0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'wan'
        list ports 'sfp'

config device
        option name 'wan'
        option macaddr 'dc:2c:6e:9d:0e:dc'

config device
        option name 'sfp'
        option macaddr 'dc:2c:6e:9d:0e:dc'

config interface 'wan'
        option device 'br-wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'br-wan'
        option proto 'dhcpv6'

My firewall configuration looks like this:

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow-SSH-WAN'
        option src 'wan'
        option dest_port '22'
        option target 'ACCEPT'

config rule
        option name 'Allow-HTTP-WAN'
        option src 'wan'
        option dest_port '80'
        option target 'ACCEPT'

config rule
        option name 'Allow-HTTPS-WAN'
        option src 'wan'
        option dest_port '443'
        option target 'ACCEPT'

So the ultimate goal is to not need to fill in an IP address but just the interface we would like to sniff.

Like this:

config port-mirroring
        option source_ports 'lan2'
        option promiscuous '1'
        option target 'lan4'
        option protocol 'TZSP'

I hope I have been clear. If you need further clarification or information about the project, please don't hesitate to ask!

Thank you for your assistance!

Thanks for the clarification - I can't see the connection to your question on ARP, though.

Why don't you instruct your students to do remote capturing instead (e.g. via Wireshark's sshdump or via a pipe over SSH)? Or use a switch with port mirroring capabilities.

Actually, I couldn't find a solution to configure it without knowing the IP of the PC that is sniffing, so I wanted to try to automatically retrieve the IP address connecting to port lan4 and place it in a variable in the configuration of the port-mirroring package.

You could use hotplug to detect when a port is up (although I just read that this doesn't work). See here for problem and workaround. And then you detect the IP address the DHCP server is handing out and you've got it.

But still: I would go with remote capture instead.
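As an added illustration of the two points raised in this thread (which neighbour sits behind which physical port, and how the lan4 station's DHCP address could be fed into the port-mirroring config), this example script is not from the thread or from OpenWrt; instead of the hotplug hook mentioned above it reads the bridge forwarding database (`bridge fdb show br br-lan`) and the dnsmasq lease file (`/tmp/dhcp.leases`). Both inputs here are constructed samples, and the final `uci` line is an assumed usage on a live router, not something run in this script.

```shell
#!/bin/sh
# Constructed sample of `bridge fdb show br br-lan` output (not taken from the poster's router).
# Format: <mac> dev <port> master <bridge> [permanent]
SAMPLE_FDB='00:e0:4c:68:26:6f dev lan2 master br-lan
f4:4d:30:1c:0f:86 dev lan4 master br-lan
dc:2c:6e:9d:0e:df dev lan4 master br-lan permanent
33:33:00:00:00:01 dev lan2 self permanent'

# Constructed sample of /tmp/dhcp.leases (dnsmasq): <expiry> <mac> <ip> <hostname> <client-id>
SAMPLE_LEASES='1700000000 00:e0:4c:68:26:6f 192.168.1.245 student-a 01:00:e0:4c:68:26:6f
1700000000 f4:4d:30:1c:0f:86 192.168.1.128 capture-box 01:f4:4d:30:1c:0f:86'

# Print the MAC addresses learned on one bridge port, skipping the port's own
# and multicast entries (both flagged "permanent"). $1 = port name, $2 = fdb text.
macs_on_port() {
    printf '%s\n' "$2" | awk -v port="$1" \
        '$3 == port && $0 !~ /permanent/ { print $1 }'
}

# Map a MAC address to its current DHCP lease IP (empty if no lease). $1 = mac, $2 = leases text.
lease_ip_for_mac() {
    printf '%s\n' "$2" | awk -v mac="$1" \
        'tolower($2) == tolower(mac) { print $3; exit }'
}

# IP of the first DHCP client currently seen behind a port; exit status 1 if none is found.
# $1 = port name, $2 = fdb text, $3 = leases text.
ip_behind_port() {
    port=$1; fdb=$2; leases=$3
    for mac in $(macs_on_port "$port" "$fdb"); do
        ip=$(lease_ip_for_mac "$mac" "$leases")
        if [ -n "$ip" ]; then
            printf '%s\n' "$ip"
            return 0
        fi
    done
    return 1
}

# Assumed live usage on the router (not executed here): feed the lan4 station's address into
# the port-mirroring target instead of typing it by hand.
#   fdb=$(bridge fdb show br br-lan); leases=$(cat /tmp/dhcp.leases)
#   uci set port-mirroring.@port-mirroring[0].target="$(ip_behind_port lan4 "$fdb" "$leases")"
```

The fdb entry only exists while the station has recently sent traffic, so on a live router the lookup should be retried (or triggered from the hotplug/DHCP event the reply mentions) rather than run once at boot.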